Chrome is a Google Service that happens to include a Browser Engine

September 22, 2018

Starting with Chrome 69, logging into a Google Site is tied to logging into Chrome.

This is typically the topic where things are complex enough that tweets or 500 character Mastodon toots don’t do it justice. I’d also mention that I prefer to avoid directly linking people’s posts on this, because I dislike the practice of taking discussions out of their original audience and treating them as official or semi-official communications from a given company.

So what changed with Chrome 69? From that version, any time someone using Chrome logs into a Google service or site, they are also logged into Chrome-as-a-browser with that user account. Any time someone logs out of a Google service, they are also logged out of the browser. Before Chrome 69, Chrome users could decline to be logged into Chrome entirely, skipping the use of Sync and other features that require a login and they could use Chrome in a logged-out state while still making use of GMail for example.

Just to spell it out: this means Google logins for Chrome are now de-facto mandatory if you ever login to a Google site. (Clarification: Sync/browser history/password sharing still requires user confirmation to happen, this is purely about the login itself.)

When someone in the security community raised this, it turned out that apparently this is intended behaviour from Google’s side as confirmed by multiple googlers and they were wondering why the new behaviour might feel abusive to some people. Some folks working on Chrome pointed out that most people can’t differentiate between logging into a Google Site and logging into Chrome and this has lead to problems with shared computers, where person A logs into GMail, but person B is logged into Chrome. This prompted Chrome developers to come up with the change that erases the distinction entirely.

It is at this point that I should note that I don’t personally use Chrome, as I felt it was too closely corporate Google even before this change. This is also not a post arguing that “some users can tell the difference, therefor…”, I do believe software should be written with the common users in mind. Interestingly, the common user belief that strongly equates Chrome with a Google Service (and not an application or tool) is probably the more accurate view of Chrome, post release 69. It’s worth wondering from where users got that impression and why.

So if this change is just about bringing Chrome in line with what most users believe anyway, what’s the fuss? Perhaps it’s not about what people believe, but what is right. Perhaps Google doesn’t want Chrome, currently having majority browser market share, to be a neutral platform. A lot of people, developers especially, believe that Chrome is a Google-influenced but more or less neutral tool and then this widespread belief has to be reconciled with the Chrome-as-a-service thinking.

Violating the content vs browser separation layer doesn’t just conform to what a lot of users believe, it also ties what’s happening inside the browser to Google on an unprecedented level, throwing the neutrality of Chrome as a platform into question. What’s the next thing that Google and only Google can make Chrome do? Concerned about shared computers but you’re not Google? There is no neutral API to log someone out from Chrome and prevent data from being synced if it’s about person A logging into Facebook in person B’s Chrome profile.

Sidenote: Most Google services have for me this in common with Facebook: these services are too deeply integrated and impossible to use in part or isolation. It’s either the entire system or nothing, based on how the question of consent is approached. You would like to use GMail (logged in obviously) but Google search, Youtube, Chrome etc without a login? No can do. You selected strict settings in Facebook for your profile data? You’re just an API/permission redesign away from having your choices nullified. Part of me feels that this Chrome shared computer issue that Googlers mentioned is real, but it’s also just too convenient to solve this by tieing Chrome closer to Google, you know?

update:
- Compare the basic (local) and signed-in mode in Google Chrome’s privacy policy. Silently upgrading from basic mode to signed-in mode makes quite a large difference.
- Chromium is apparently also affected by this.
- There is a workaround to disable this behaviour. I deliberately don’t include it here, as that relies on internal flags and the point of this post wasn’t to try to revert this change, but rather to think about Chrome’s direction in general.

update 2: Added a clarification that Sync doesn’t automatically turn on with the autologin.

update 3: Added a link to Matthew Green’s thoughts on this, now that he wrote a post intended for the wider public (as opposed to random tweets).